Change the X-Frame-Options to Allow All Domains

If you set it, then you can only set it to DENY, SAMEORIGIN, or ALLOW-FROM (a specific origin).

Allowing all domains is the default. Don't set the X-Frame-Options header at all if you want that.

Note that the successor to X-Frame-Options — CSP's frame-ancestors directive — accepts a list of allowed origins so you can easily allow some origins instead of none, one or all.
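The point above about frame-ancestors accepting a list, as an added example that is not part of the original answer: a Node.js helper that turns an allowlist of parent origins into response headers. The function names and sample origins are assumptions; X-Frame-Options is emitted only for the none/self cases because it cannot carry a list.

```javascript
// Added example: build framing headers from an allowlist of parent origins.
// framingHeaders and normalizeOrigin are hypothetical names, not a library API.

// Reduce an entry to a bare origin (scheme://host[:port]); reject anything else.
function normalizeOrigin(entry) {
  const url = new URL(entry); // throws TypeError on malformed input
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    throw new Error(`unsupported scheme in ${entry}`);
  }
  if (url.pathname !== '/' || url.search || url.hash || url.username || url.password) {
    throw new Error(`not a bare origin: ${entry}`);
  }
  return url.origin; // default ports are dropped, e.g. :443 for https
}

// allowed: 'none' | 'self' | non-empty array of origins. Returns headers to send.
function framingHeaders(allowed) {
  if (allowed === 'none') {
    return {
      'Content-Security-Policy': "frame-ancestors 'none'",
      'X-Frame-Options': 'DENY', // fallback for browsers without frame-ancestors
    };
  }
  if (allowed === 'self') {
    return {
      'Content-Security-Policy': "frame-ancestors 'self'",
      'X-Frame-Options': 'SAMEORIGIN',
    };
  }
  if (!Array.isArray(allowed) || allowed.length === 0) {
    throw new Error('allowed must be "none", "self", or a non-empty origin list');
  }
  // De-duplicate after normalization so equivalent spellings collapse to one entry.
  const origins = [...new Set(allowed.map(normalizeOrigin))];
  // X-Frame-Options cannot express a list, so only the CSP header is returned.
  return { 'Content-Security-Policy': `frame-ancestors ${origins.join(' ')}` };
}
```
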

Apache X-Frame-Options Allow-From multiple domains

Header always append X-Frame-Options ALLOW-FROM=site1
Header always append X-Frame-Options ALLOW-FROM=site2
Header always append X-Frame-Options ALLOW-FROM=site3

This way is OK.

But I got an error when I first used it.

Maybe I typed a wrong character.

X-Frame-Options in nginx to allow all domains

Solved it by changing proxy_hide_header values in /etc/nginx/sites-available/default file like so:

proxy_hide_header X-Frame-Options;

Needed to restart nginx as well as use pm2 to restart my nodejs server (for some reason, it didn't work till I made a small change to my server and restarted it).

How to set 'X-Frame-Options' on iframe?

You can't set X-Frame-Options on the iframe. That is a response header set by the domain from which you are requesting the resource (google.com.ua in your example). They have set the header to SAMEORIGIN in this case, which means that they have disallowed loading of the resource in an iframe outside of their domain. For more information see The X-Frame-Options response header on MDN.

A quick inspection of the headers (shown here in Chrome developer tools) reveals the X-Frame-Options value returned from the host.

Setting X-Frame-Options in PHP

Use the code below in the PHP file that outputs the response to the client.

header("X-Frame-Options: DENY");

DENY will block framing entirely. You can also try the SAMEORIGIN option.

header("X-Frame-Options: SAMEORIGIN");

If you are using the Apache web server, you can also set it directly in httpd.conf.

<Directory />
...
Header always set X-Frame-Options "SAMEORIGIN"
</Directory>

